[29939] in Kerberos
Re: Principal attributes and policy in LDAP Realm
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Jun 9 08:42:53 2008
From: Ken Raeburn <raeburn@mit.edu>
To: "Savitha R" <rsavitha@novell.com>
In-Reply-To: <484D3CBD.C217.0053.0@novell.com>
Message-Id: <72CB359C-ABDC-41D6-98B6-47FA4EAA8208@mit.edu>
Mime-Version: 1.0 (Apple Message framework v924)
Date: Mon, 9 Jun 2008 08:42:06 -0400
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Jun 9, 2008, at 04:52, Savitha R wrote:
>>>> On Sat, Jun 7, 2008 at 1:46 AM, in message
> <1212783367.27162.15.camel@klausk.br.ibm.com>, Klaus Heinrich Kiwi
> <klausk@linux.vnet.ibm.com> wrote:
>> Hi,
>>
>> I hav some questions regarding how data is organized when using the
>> LDAP KDB plugin for a realm. I hope this is the right place to ask.
>>
>> I have a Realm set-up using the LDAP backend. First thing is: when
>> querying a principal using kadmin, why attributes such as 'Last
>> [successful,failed] authentication' and 'Failed password attempts'
>> are
>> never filled-up? After failing some authentication attempts I have
>> the
>> following:
>> ...
>> Last modified: Fri Jun 06 16:24:09 BRT 2008 (klaus/admin@MYREALM)
>> Last successful authentication: [never]
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> ...
>>
> These attributes are updated only when the KDC is built with the
> "--with-kdc-kdb-update" option.
Which, unfortunately, doesn't seem to work since the DAL merge that
made the use of LDAP possible (e.g., RT tickets 5668, 5716 -- the
latter has a patch I haven't had a chance to evaluate).
This probably should be made a runtime option -- or at least, have the
configure-time option set a flag checked by code that's always
compiled in.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
